This work was produced for FedCIRC and the General Services Administration by the CERT® Coordination Center, Software Engineering Institute, Carnegie Mellon University.

Copyright 2002 Carnegie Mellon University

Contents

Introduction
Thinking About Securing Your Home Computer
Things You Ought To Know
What Should I Do To Secure My Home Computer?
Summary
End Notes
Acknowledgements

Property has its duties as well as its rights.
Thomas Drummond (1797-1840)

Introduction

Your home computer is a popular target for intruders. Why? Because intruders want what you’ve stored there. They look for credit card numbers, bank account information, and anything else they can find. By stealing that information, intruders can use your money to buy themselves goods and services.

But it’s not just money-related information they’re after. Intruders also want your computer’s resources, meaning your hard disk space, your fast processor, and your Internet connection. They use these resources to attack other computers on the Internet. In fact, the more computers an intruder uses, the harder it is for law enforcement to figure out where the attack is really coming from. If intruders can’t be found, they can’t be stopped, and they can’t be prosecuted.

Why are intruders paying attention to home computers? Home computers are typically not very secure and are easy to break into. When combined with high-speed Internet connections that are always turned on, intruders can quickly find and then attack home computers. While intruders also attack home computers connected to the Internet through dial-in connections, high-speed connections (cable modems and DSL modems) are a favorite target.

No matter how a home computer is connected to the Internet, intruders’ attacks are often successful. Many home computer owners don’t realize that they need to pay attention to computer security.
In the same way that you are responsible for having insurance when you drive a car, you need to also be responsible for your home computer’s security. This pamphlet explains how some parts of the Internet work and then describes tasks you can do to improve the security of your home computer system. The goal is to keep intruders and their programs off your computer.

How do intruders break into your computer? In some cases, they send you email with a virus. Reading that email activates the virus, creating an opening that intruders use to enter or access your computer. In other cases, they take advantage of a flaw or weakness in one of your computer’s programs – a vulnerability – to gain access. Once they’re on your computer, they often install new programs that let them continue to use your computer – even after you plug the holes they used to get onto your computer in the first place. These “backdoors” are usually cleverly disguised so that they blend in with the other programs running on your computer.

The next section of this pamphlet discusses concepts you need to know, especially trust. The main part of the pamphlet explains the specific issues that need your attention. Most sections conclude with a reference to a web site that you can use to find examples of how to do some of these tasks to secure a Microsoft Windows 2000-based computer. Near the end of the pamphlet, there is a reference to a web site that contains checklists you can use to record information about the steps you have taken to secure your computer.

Whether your computer runs Microsoft® Windows®, Apple’s Mac OS, LINUX, or something else, the issues are the same and will remain so as new versions of your system are released. The key is to understand the security-related problems that you need to think about and solve.
Thinking About Securing Your Home Computer

Before diving into the tasks you need to do to secure your home computer, let’s first think about the problem by relating it to something you already know how to do. In this way, you can apply your experience to this new area.

So, think of your computer as you would your house, your apartment, or your condo. What do you know about how that living space works, what do you routinely do to keep it secure, and what have you installed to improve its security? (We’ll use this “computer-is-like-a-house-and-the-things-in-it” analogy throughout, departing only a few times to make a point.)

For example, you know that if you have a loud conversation, folks outside your space can probably hear you. You also routinely lock the doors and close the windows when you leave, and you don’t give the keys to just anyone. Some of you may install a security system to complement your practices. All of these are part of living in your home.

Let’s now apply similar thinking to your home computer. Email, instant messaging, and most web traffic go across the Internet in the clear; that is, anyone who can capture that information can read it. These are things you ought to know. You should always select and use strong passwords and exercise due care when reading all email, especially the unsolicited variety. These are things you ought to do. Finally, you can add a firewall, an anti-virus program, patches, and file encryption to improve the level of security on your home computer, and we’ll call these things you ought to install.

The rest of this pamphlet describes the things you ought to know, do, and install to improve the security of your home computer.

Things You Ought To Know

One starting point for solving home computer security problems is being aware of how the Internet and some of its technologies work. If you know how they work, you can evaluate solutions to the problems that come up.
You can also use the Internet more safely and responsibly. In this section, we’ll talk about two topics: trust and information in the clear as it crosses the Internet.

Trust

Human beings are trusting by nature. We trust much of what we hear on the radio, see on television, and read in the newspaper. We trust the labels on packages. We trust the mail we receive. We trust our parents, our partner or spouse, and our children. We trust our co-workers. In fact, those who don’t trust much are thought to be cynical. Their opinions may be all too quickly ignored or dismissed.

The Internet was built on trust.[1] Back in the mid 1960s, computers were very expensive and slow by today’s standards, but still quite useful. To share the expensive and scarce computers installed around the country, the U.S. government funded a research project to connect these computers together so that other researchers could use them remotely. This project was called the ARPAnet, named after the government research agency – ARPA, the Advanced Research Projects Agency – that funded and managed the project.

Key to the ARPAnet was the level of trust placed in its users; there was little thought given to malicious activity. Computers communicated using a straightforward scheme that relied on everybody playing by the rules. The idea was to make sharing ideas and resources easy and as efficient as the technology of the day provided. This philosophy of trust colors many of the practices, procedures, and technologies that are still in place today.

Only within the last few years, as Internet commerce (known as e-commerce) began to spread, has it become inadequate to rely principally on trust. Since the days of the ARPAnet, we’ve changed the way we use computer networks while others have changed the underlying technologies, all in an attempt to improve the security of the Internet and the trust we place on it.

Let’s dig deeper into two examples of what we trust in our daily lives.
When you receive mail through the post office, many envelopes and the letters in them contain the sender’s address. Have you ever wondered if those addresses were valid; that is, do they match the address of the person or persons who really sent them? While you could check to see that those addresses are valid and refer to the person they name, it’s not an easy task.

How would you go about it? Would you call the phone number provided with the letter? That number could also be invalid, and the person that answers the phone could be as misleading as the original address. Perhaps you could call directory assistance or the police department that has jurisdiction over the town where the letter was supposedly from. They might be helpful, but that is likely to take lots of time. Most people wouldn’t bother.

And it’s not just return addresses either. How about advertisements, news stories, or the information printed on groceries? Suppose you were on a low-fat diet. You’d want to buy foods low in fat. To select the right foods, you’d read the product label at the grocery store. How do you know that the label information is valid? What’s to say it’s not forged? And how would you know?

The Internet has many of the same issues, and email is one of the best examples. In an email message, an intruder can easily fabricate where the message came from. But this information forging – called spoofing by intruders and security professionals – is not limited to just email. In fact, the basic unit of information transferred on the Internet – called a packet – can also be easily forged or spoofed.

What does this mean and why should you care? It means that any information you receive from some other computer on the Internet should not be trusted automatically and unconditionally. When you trust an email message that turns out to have a harmful virus attached to it, your computer can be infected, your files destroyed, and your work lost. And that’s why you should care.
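The forged return address described above, shown as an added example that is not part of the original pamphlet: the From line of an email is text the sender writes, so this Python code compares it with other headers of a message. The sample message, its addresses and the function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not from the pamphlet): the From line names a
# bank, but the envelope sender and the delivering host are somewhere else.
SAMPLE = """\
Return-Path: <bulk@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [192.0.2.10])
\tby mx.home.example with ESMTP; Mon, 01 Jan 2024 10:00:00 +0000
From: "Your Bank" <support@bank.example.com>
Reply-To: claims@other.example.org
To: you@home.example
Subject: Please verify your account

Click the link to confirm your details.
"""

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def spoofing_hints(raw_message):
    """List reasons the sender shown to the reader deserves a second look."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg["From"])
    if not from_dom:
        return ["From header has no usable address"]
    hints = []
    # Return-Path and Reply-To say where bounces and replies really go.
    for name in ("Return-Path", "Reply-To"):
        other = domain_of(msg[name])
        if other and other != from_dom:
            hints.append(f"{name} domain {other} differs from From domain {from_dom}")
    # The topmost Received line is normally added by the reader's own mail
    # server, so the sender cannot write it the way it writes From.
    received = msg.get_all("Received") or []
    if received and from_dom not in received[0].lower():
        hints.append(f"delivering host does not mention {from_dom}")
    return hints

if __name__ == "__main__":
    for hint in spoofing_hints(SAMPLE):
        print("CHECK:", hint)
```

A mismatch is a reason to look closer, not proof of forgery: mailing lists and bulk-mail services legitimately use a different Return-Path.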
This is how the Internet works. It was built on trust. Over time, there have been technological changes that are worthy of a higher level of our trust than before. Nonetheless, a true sense of insecurity is better than a false sense of security. So, think about the information you trust. Be critical and cautious.

Information in the Clear

When you have a conversation with someone in your living space, everybody within earshot can hear the words and probably understand them. If your conversation is especially loud and your windows open, even passersby can hear. If you want privacy, you and your conversation partner need to go to another room and close the doors and windows.

The Internet works much the same way, except the room is much, much bigger. When you send email, browse a web site, or chat online with someone, the conversation between you and that person does not go directly from your computer to his or her computer. Instead, it goes from your computer to another computer to still another computer and so on, eventually reaching his or her computer. Think of all of these computers as an Internet “room.”

Anyone, or, more accurately, any program, in that Internet room that can hear that conversation can also probably understand it. Why? Because just like the conversation at home, most Internet conversations are in the clear, meaning that the information exchanged between computer systems is not concealed or hidden in any way.

Again, this is how the Internet works. You need to know that the information sent across the Internet may be at risk of others listening in, capturing what you send, and using it for their own benefit.

Later in this pamphlet, we’ll talk about encryption as a way to address this problem. Encryption uses mathematics to conceal information. There are many programs you can install to encrypt the information you send across the Internet.

[...]
... products that provide the capabilities you need to secure your home computer. Commercial versions have even more features that can further protect your computer. Firewalls are an important part of your home computer’s security defenses. To see an example that shows how to operate a firewall, see http://www.fedcirc.gov/homeusers/HomeComputerSecurity/examples.html

Task 5 - Make Backups of Important Files and ...

... files and folders on your computer, limit access where you can. On your computer, use encryption programs either when you can’t restrict access to the extent that you’d like or when you want even more security protecting your computer files and folders. To see examples that show how to use an encryption program and how to adjust ACLs, see http://www.fedcirc.gov/homeusers/HomeComputerSecurity/examples.html ...

... OK, you also need to “walk” around your home computer to see if there are any viruses lurking about. Most anti-virus programs let you schedule periodic exams of all files on your home computer on a regular basis, daily for example. If you leave your computer turned on over night, think about scheduling a full-system review during that time. Some anti-virus programs have more advanced ...

... hardware firewalls is coming down as the demand grows. A firewall is your security guard that stands between your home computer and the Internet. It lets you control which traffic your computer accepts. It also controls which of your programs can connect to the Internet. With a firewall, you define which connections between your computer and other computers on the Internet are allowed and which are denied. There are ...
... briefcase or computer case before being allowed to pass). Back to the office building, when employees leave the building, they may also have to swipe their ID card to show that they’ve left. A visitor signs out and returns their temporary badge. Both may be subject to having their possessions inspected before being allowed to leave. Firewalls can also recognize and record when a computer-to-computer ...

... home computer and which are allowed to leave. That’s the easy part. The hard part is deciding the details about the packets that are allowed to enter and exit your home computer. If your firewall supports content filtering, you also need to learn which content to allow and which not to allow. To help you get a handle on this harder task, let’s return to our security guard analogy. Imagine that you are that security ...

... permanent by not including it in your rules. Where possible, allow only temporary connections. As you run each program on your home computer, you’ll learn how it uses the Internet. Slowly you’ll begin to build the set of rules that define what traffic is allowed into and out of your computer. By only letting in and out what you approve and denying all else, you will strike a practical ...

... secure your home computer. Their order is based on how intruders attack computers, beginning with the most-often used attack methods. By starting with the lower numbered tasks, you address the biggest problems you face in securing your home computer. Remember that most sections end with a reference to a web site that you can use to find an example of how to do the task on a Microsoft Windows 2000 computer. Task ...
... just home computers – when they use viruses and worms. Installing an antivirus program and keeping it up to date is among the best defenses for your home computer. If your financial resources are limited, they are better spent purchasing a commercial anti-virus program than anything else. To see an example that shows how to operate a virus checker, see http://www.fedcirc.gov/homeusers/HomeComputerSecurity/examples.html ...

... you needed it? Think back to your home computer. Do you have a “spare tire,” meaning a way to continue computing when you have a “blowout” caused by a malfunction or an intruder? Said another way, can you back up your files onto some other media so that you can recover them if you need to? If you’d never buy a car without a spare tire, why did you buy a computer without a device ...